Charcoal-SE / userscripts

Collection of userscripts that are used by/are useful to Charcoal.
https://charcoal-se.org/scripts
Apache License 2.0

FIRE: theoretical js injection through username #156

Closed user12986714 closed 4 years ago

user12986714 commented 4 years ago

It appears that FIRE is not escaping the username: https://github.com/Charcoal-SE/userscripts/blob/f09df0b0400e1a543456268d871c4acdf26f666f/fire/fire.user.js#L1186. Although the username is restricted to 30 characters, there is a theoretical possibility that it can be used for js injection and may leak out sensitive data.

makyen commented 4 years ago

The data received from the MS API is sourced from the SE API, which performs sanitation upon the data prior to sending it out on the SE API. Unless we have asked for the unsafe data from the SE API, which we haven't, SE guarantees that we can convert directly to HTML without security concerns. So, this issue should not be of significant concern for the username.

However, it is a concern for the raw title and body obtained from the MS API, because those have been processed by SD in a way that makes them unsafe.

So, no, this is not an issue specifically for the username. But, yes, there is an issue here for FIRE for the body and title, which are resolved in an upcoming version.
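The pattern both comments are discussing, as an added example that is not FIRE's own code: an API field is interpolated straight into HTML (the unsafe form) versus being HTML-escaped at the point of insertion (the hardened form that an upcoming FIRE version is said to apply to the title and body). The field names `username`, `title` and `body`, the render functions and the sample post are assumptions constructed for illustration, not the metasmoke API's actual shape.

```javascript
// Added example (not FIRE's own code): escape untrusted strings from an API
// before they are placed into HTML markup. Field names are assumptions.

// Map every HTML-significant character to its entity. Escaping all five
// (& < > " ') covers text nodes as well as double- and single-quoted attributes.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHtml(value) {
  // Coerce to string so null/undefined/numbers cannot bypass the escape.
  const text = value == null ? '' : String(value);
  return text.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unsafe pattern: raw interpolation of API fields into markup. Any markup in
// title or body becomes live HTML in the page that renders this string.
function renderReportUnsafe(post) {
  return `<div class="report"><b>${post.username}</b>: ${post.title}<p>${post.body}</p></div>`;
}

// Hardened pattern: every field escaped at the point of insertion, so the only
// tags in the output are the template's own.
function renderReportSafe(post) {
  return `<div class="report"><b>${escapeHtml(post.username)}</b>: ${escapeHtml(post.title)}<p>${escapeHtml(post.body)}</p></div>`;
}

// Defender-side check: count '<' characters in the rendered markup. The
// template itself contributes exactly six (div, b, /b, p, /p, /div); any more
// means a field smuggled markup through.
function countTagOpeners(html) {
  return (html.match(/</g) || []).length;
}
const TEMPLATE_TAG_COUNT = 6;

function rendersOnlyTemplateTags(html) {
  return countTagOpeners(html) === TEMPLATE_TAG_COUNT;
}

// Constructed sample post (not real metasmoke data): title and body carry
// markup of the kind a post body could contain after processing.
const SAMPLE_POST = {
  username: 'ordinary user',
  title: 'Title with <em>markup</em> & an ampersand',
  body: 'Body with a "quoted" string and <script>alert(1)</script>',
};

// Stand-alone demonstration when run directly with node.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe:', renderReportUnsafe(SAMPLE_POST));
  console.log('safe:  ', renderReportSafe(SAMPLE_POST));
}
```

The check in `rendersOnlyTemplateTags` is deliberately crude: it is a unit-test guard for a known template, not a general HTML sanitizer. The real fix is the one in `renderReportSafe`, escaping each field where it is inserted rather than trusting that an upstream service already did.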